When I ran into the phrase “threat hunting” 5 years ago, I was confused. It was being treated, and talked about, as some sort of highly specialised activity requiring special skills and techniques. But I saw it as the basic, fundamental activity of a security analyst: you review the logs, look for anomalies, and chase down things that don’t look right.
And from that angle, there is no difference between doing that and devising new SIEM use cases, except that a SIEM use case automates the specific process.
However, the term “threat hunting” has been mutated beyond its original meaning, just as people use the term “AI” when they really mean “statistical analysis”. Threat hunting can mean “log analysis” in some contexts, or “discovering something no one has discovered before” in others.
Threat hunting is a free-form exploration of complex data to look for anomalous patterns. In its pure form, it cannot be automated.
A SIEM automates specific searches and analyses, usually based on the results of threat hunting: once a hunt has identified a specific pattern, that pattern can be searched for automatically. SIEMs can’t find a novel pattern within complex data; humans can.
So, there is overlap between the two activities and one can lead to the other.
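The hand-off described above, a free-form hunt surfacing candidates for a human to review and the confirmed finding then codified as a repeatable SIEM-style rule, as an added example that is not part of the original post. The authentication events, field names and the "service account from a workstation" rule are constructed for illustration.

```python
from collections import Counter

# Constructed sample of authentication events (not real log data).
EVENTS = [
    {"user": "alice", "src": "wks-01", "outcome": "success"},
    {"user": "alice", "src": "wks-01", "outcome": "success"},
    {"user": "bob", "src": "wks-02", "outcome": "success"},
    {"user": "bob", "src": "wks-02", "outcome": "failure"},
    {"user": "bob", "src": "wks-02", "outcome": "success"},
    {"user": "carol", "src": "wks-03", "outcome": "success"},
    {"user": "svc-backup", "src": "srv-backup", "outcome": "success"},
    {"user": "svc-backup", "src": "wks-02", "outcome": "success"},  # the odd one
]


def hunt_rare_pairs(events, fields, max_count=1):
    """Exploratory step: stack-count combinations of `fields` and return the
    ones seen at most `max_count` times. This only ranks the data; a human
    decides which rare pair is actually interesting (carol's single logon and
    the backup account on its own server are rare but benign here)."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    return sorted(pair for pair, n in counts.items() if n <= max_count)


def siem_use_case(event, rule):
    """Automated step: a SIEM-style rule is a fixed predicate per field, all of
    which must hold. It finds exactly what it was told to find, nothing novel."""
    return all(pred(event.get(field, "")) for field, pred in rule.items())


def run_use_case(events, rule):
    """Apply one codified use case to a stream of events and return the hits."""
    return [e for e in events if siem_use_case(e, rule)]


if __name__ == "__main__":
    rare = hunt_rare_pairs(EVENTS, ("user", "src"))
    print("rare (user, src) pairs for an analyst to review:", rare)
    # After review, the analyst generalises the confirmed finding into a rule:
    # any service account authenticating from any workstation.
    rule = {"user": lambda v: v.startswith("svc-"),
            "src": lambda v: v.startswith("wks-")}
    print("use case hits:", run_use_case(EVENTS, rule))
```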